Re: [webauthn] Possibility to filter displayed authenticators by certified level (#1816)

This has come up before many times, and while there is a desire to have it, understandably, there is a lack of _browser vendor_ desire to implement it, the reasons for which can be read in myriad prior issues regarding the same topic. I would refer you to @agl's [statement from a prior issue discussion](https://github.com/w3c/webauthn/issues/1688#issuecomment-1011516074), which discusses the authenticator selection extension (and by extension, this topic).

>About the authenticator selection extension itself: We have never implemented it because we don't feel that authenticator discrimination is broadly a good thing. Multiple different RPs might each have locally valid reasons for wanting to select the authenticators that are permitted on their site, but the sum of this is that users need to have multiple authenticators to span the set of different site policies that they encounter, they have to remember which goes with each site, and they can't have the expectation that a given security key will broadly work where they want to use it.

This is a fair point, and one I agree with. Giving the outright ability to discriminate authenticators upon registration could end up being a broad negative and source of frustration for users, and there are ways of handling filtration after a registration attempt that allow for better UX, for example:

1. A user comes to the site with an excluded authenticator (one of many excluded from the given RP).
2. User attempts to register. If this was excluded prior to registration verification, the client would tell the user this was one of the excluded authenticators, but probably wouldn't have insight into _which_.
3. User's registration attempt fails after attempted verification, but the RP now has insight into _which_ authenticator failed.
4. RP informs user with how to remediate.

Either way, I don't think we should be limiting general consumer user authenticator enrollment, and again, there's no desire by platforms on this topic.


-- 
GitHub Notification of comment by nicksteele
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1816#issuecomment-1353895045 using your GitHub account


Received on Thursday, 15 December 2022 23:55:58 UTC
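The post-verification flow sketched in steps 1 to 4 above, as an added example (not code from the comment author or the WebAuthn project): the RP parses the registration `authenticatorData`, reads the AAGUID, and only then checks it against its own exclusion policy so it can tell the user which authenticator was rejected. The AAGUID values, the `example.com` RP ID and the policy table are constructed for illustration; a real RP must verify the attestation statement first, since an unverified AAGUID is untrustworthy.

```python
import hashlib
import struct
import uuid
from typing import Optional, Tuple

# Constructed RP policy: AAGUIDs this RP does not accept (hypothetical values, not real products).
EXCLUDED_AAGUIDS = {
    "11111111-1111-1111-1111-111111111111": "Example Key v1 (below the RP's required certification level)",
}

AT_FLAG = 0x40  # "attested credential data included" bit in the flags byte


def parse_aaguid(auth_data: bytes) -> Optional[str]:
    """Return the AAGUID from WebAuthn authenticatorData, or None if no attested credential data.

    Layout: rpIdHash(32) | flags(1) | signCount(4, big-endian) | attestedCredentialData (only if AT set),
    where attestedCredentialData = aaguid(16) | credentialIdLength(2, big-endian) | credentialId | COSE key.
    """
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than the 37-byte fixed header")
    if not auth_data[32] & AT_FLAG:
        return None  # e.g. an assertion response, not a registration
    if len(auth_data) < 55:
        raise ValueError("AT flag set but attested credential data is truncated")
    (cred_id_len,) = struct.unpack(">H", auth_data[53:55])
    if len(auth_data) < 55 + cred_id_len:
        raise ValueError("credentialId length exceeds authenticatorData")
    return str(uuid.UUID(bytes=auth_data[37:53]))


def check_registration(auth_data: bytes) -> Tuple[bool, str]:
    """Policy check run after attestation verification; returns (accepted, message for the user)."""
    aaguid = parse_aaguid(auth_data)
    if aaguid is None:
        return False, "Registration response carried no attested credential data."
    reason = EXCLUDED_AAGUIDS.get(aaguid)
    if reason:
        return False, f"The authenticator you used ({reason}, AAGUID {aaguid}) is not accepted here; please register a different one."
    return True, f"Authenticator {aaguid} accepted."


def build_auth_data(aaguid: str, cred_id: bytes = b"\x01" * 16) -> bytes:
    """Construct a minimal registration authenticatorData as sample input (not from a real authenticator)."""
    rp_id_hash = hashlib.sha256(b"example.com").digest()  # hypothetical RP ID
    flags = bytes([0x01 | AT_FLAG])  # UP + AT
    cose_key_stub = b"\xa0"  # empty CBOR map standing in for the credential public key
    return (rp_id_hash + flags + struct.pack(">I", 0) + uuid.UUID(aaguid).bytes
            + struct.pack(">H", len(cred_id)) + cred_id + cose_key_stub)
```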